RKinsp
Contributor

SSH session limit to Management Server

Good morning everyone!

Is there any way to limit SSH sessions to the management server? The post below has a way to limit to the gateways using QoS blade.

https://community.checkpoint.com/t5/Security-Management/Is-there-a-way-to-limit-concurrent-SSH-sessi...

Thanks,

RK!

6 Replies
the_rock
Advisor

Never heard of anything like that...I don't believe you can do this in the rule with an action option, as it does not give the ability to set the number of connection attempts. Let me do some research, it's an interesting inquiry though : )


Andy

Bob_Zimmerman
Advisor

Note: the following is generally a bad idea.

You could always limit the number of pseudoterminals. sshd can only start a shell for a user if there is an available pseudoterminal "device". The max number is set with a sysctl. To see what it's currently set to, use

cat /proc/sys/kernel/pty/max

To change it short-term, you can use something like this:

echo "10" > /proc/sys/kernel/pty/max

To make it persist across reboots, you would have to set it in your sysctl.conf using the standard syntax.

Again, doing this is probably a bad idea. If all the pts devices get consumed, you won't be able to open a session to raise the limit, so you could be locked out. Be absolutely sure you are willing to accept the risk of not being able to fix something quickly when it breaks.

If it goes badly wrong, you should still be able to boot into single-user mode, mount the drive, remove the line from your sysctl.conf, and reboot. This requires hands on the system or a good LOM card (and I wouldn't call Check Point's LOM cards "good").

RKinsp
Contributor

Since you mentioned sshd, I took a look in the sshd_config file. It does have a "MaxSessions" field commented out.

Anybody ever play with this option?

#LoginGraceTime 2m
PermitRootLogin yes
StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

the_rock
Advisor

Now that you mentioned that, I did check on my lab and it's the same thing...so, what you COULD do is this. Remove the # in front of MaxSessions, as that will omit the number of tries altogether, but first, save the original file. I actually did something similar to change the SSH port a few months ago.

Bob_Zimmerman
Advisor

MaxSessions is related to session multiplexing. OpenSSH has the ability to run multiple sessions over a single TCP connection. That setting controls how many sessions you can multiplex like that. If you're trying to limit the number of connections overall, this option won't help.

If you see that option in your sshd_config, I'm pretty sure you're on GAiA 3.10 (R80.30 management, or R80.40). If that's the case, you have OpenSSH 7.8p1, and this is the appropriate manual for sshd_config:

https://man.openbsd.org/OpenBSD-6.3/sshd_config

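As an added example (not code from this thread or from Check Point), a small POSIX shell check that reads the two knobs discussed above without changing anything: the effective MaxSessions value from an sshd_config (a commented-out line means the compiled-in default applies, as in the "#MaxSessions 10" line quoted earlier) and the pseudoterminal headroom left under kernel.pty.max, so an admin can see how close a box is to the lockout Bob describes. The function names, the sample config and the warning threshold are assumptions made for the example.

```shell
#!/bin/sh
# Added example for the thread above; assumes a POSIX shell and awk.

# Effective value of an sshd_config keyword read from stdin.
# sshd takes the first uncommented occurrence; a line such as
# "#MaxSessions 10" is a comment, so the default ($2) applies.
sshd_effective() {  # $1 = keyword, $2 = default when not set
    awk -v key="$1" -v def="$2" '
        tolower($1) == tolower(key) && val == "" { val = $2 }
        END { print (val == "" ? def : val) }'
}

# Pseudoterminal headroom: kernel.pty.max minus ptys already open is the
# number of new shells sshd can still start. Prints the headroom and
# returns non-zero when it is at or below the warning threshold, i.e.
# when one more lowering of pty/max (or a few more logins) could lock
# the admin out, as described earlier in the thread.
pty_headroom() {  # $1 = kernel.pty.max, $2 = ptys in use, $3 = warn threshold
    free=$(( $1 - $2 ))
    echo "$free"
    [ "$free" -gt "$3" ]
}

# Live variant for a Linux host (assumed paths: /proc/sys/kernel/pty/max
# and the numbered entries under /dev/pts). Not called at load time.
live_pty_check() {
    max=$(cat /proc/sys/kernel/pty/max)
    used=$(ls /dev/pts | grep -c '^[0-9]')
    pty_headroom "$max" "$used" 2
}

# Constructed sample config mirroring the snippet quoted in the thread.
SAMPLE_CONFIG='#LoginGraceTime 2m
PermitRootLogin yes
StrictModes yes
#MaxAuthTries 6
#MaxSessions 10'

# Demonstration on the constructed sample: MaxSessions is commented out,
# so the default of 10 is reported.
printf '%s\n' "$SAMPLE_CONFIG" | sshd_effective MaxSessions 10
```

Running live_pty_check on the management server reports how many pseudoterminals remain before new SSH shells would fail to start.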
Vladimir
Champion

If your management server is behind a gateway, you can add the destination in the QoS rule.

If it is not behind a gateway, though, there are some tricky Linux settings that may be used, but I doubt those are supported by Check Point.
